Add explicit permissions to GitHub workflows (#2140)

Fix code scanning alert about unlimited permissions by applying the
principle of least privilege to all workflow jobs. Each job now has
only the permissions it actually needs:
- Build, test, publish, and compat jobs get contents: read
- publish-docs keeps contents: write (needs to push to gh-pages)
- rules workflow gets empty permissions (no repo access needed)

Committed-By-Agent: claude

Author: mbroshi-stripe

.github/workflows/ci.yml

@@ -18,12 +18,17 @@ on:
       - sdk-release/**
       - feature/**
 
+permissions: {}
+
 jobs:
   build:
     name: Build
 
     runs-on: "ubuntu-24.04"
 
+    permissions:
+      contents: read
+
     steps:
       - uses: extractions/setup-just@v2
       - uses: actions/checkout@master
@@ -49,6 +54,9 @@ jobs:
 
     runs-on: "ubuntu-24.04"
 
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -106,6 +114,8 @@ jobs:
       endsWith(github.actor, '-stripe')
     needs: [build, test]
     runs-on: "ubuntu-24.04"
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@master
       - name: Setup Java
@@ -169,6 +179,9 @@ jobs:
   compat:
     runs-on: "ubuntu-24.04"
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2

.github/workflows/rules.yml

@@ -7,6 +7,8 @@ on:
     types:
       - auto_merge_enabled
 
+permissions: {}
+
 jobs:
   require_merge_commit_on_merge_script_pr:
     name: Merge script PRs must create merge commits